Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use


Andy Petrovich, MHSA, MPH, M-CEITA / Altarum Institute, October 1, 2014

Who is M-CEITA?
- Michigan Center for Effective Information Technology Adoption (M-CEITA)
- One of 62 ONC Regional Extension Centers (RECs) providing education and technical assistance to primary care providers across the country
- Founded as part of the HITECH Act to accelerate the adoption, implementation, and effective use of electronic health records (EHR), e.g. 90 days of MU
- Funded by ARRA of 2009 (Stimulus Plan)
- Purpose: support the Triple Aim by achieving 5 overall performance goals
[Diagram] The Triple Aim: improve patient experience; improve population health; reduce costs. The five performance goals: Improve Quality, Safety & Efficiency; Engage Patients & Families; Improve Care Coordination; Improve Population and Public Health; Ensure Privacy and Security Protections. Other diagram labels: Performance Measurement, Meaningful Use, Certified Technology Infrastructure.

M-CEITA's Performance
- 5,000+ providers enrolled for M-CEITA support, impacting over 2 million patients
- 4,100+ providers are live on EHR
- 3,000+ have achieved Meaningful Use standards
- Latest survey shows 99% of M-CEITA customers are satisfied with services

M-CEITA Subsidized Services for Providers
[Diagram: M-CEITA Service Delivery, for PCPs (Medicare/Medicaid) and Specialists (Medicaid only)]
- Engagement: establish baseline performance, educate
- EHR Selection (if needed): guidance for 2014 certified products
- Planning: develop transition plans, identify key process changes
- Implementation: establish timelines for project management
- Meaningful Use: support MU objectives, assist with registration and attestation

M-CEITA's Services
Our services are highly subsidized for qualified physicians. These Health IT services include:
- Meaningful Use Support
- Security Risk Assessment
- Targeted Process Optimization (Lean)
- Attestation/Audit Preparation

Security Risk Assessment

Risk
- People want to get value from the world
- The world can be dangerous
- People want to be secure from dangers
- How do we get security in an insecure world?

HIPAA Security Rule
HIPAA Title II (Administrative Simplification) contains the Security Rule, whose Security Standards are:
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards
- Organizational Requirements
- Policies and Procedures
- Documentation Requirements

SRA as part of the HIPAA Security Rule
45 CFR 164.308(a)(1) covers: Risk Assessment, Risk Management, Sanction Policy, Information System Activity Review.
Risk Analysis: "Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity."

SRA as a Meaningful Use requirement: Core Objective
Objective: Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.
Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.

HHS Office for Civil Rights (OCR) Final Guidance
- Scope must include all ePHI in the organization
- Data collection and methods must be documented
- Identify and document anticipated threats and vulnerabilities
- Assess current security measures in place
- Establish likelihood of threat occurrence
- Establish potential impact of threat occurrence
- Determine level of risk
- Document complete risk analysis
- Periodic review and update
There is no one way to do an SRA, but every method must meet these objectives.

Top 10 Most Common Privacy/Security Violations
10. Incomplete HIPAA authorization forms
9. Exclusion of a right to revoke clause
8. Failure to establish contract with business associates
7. Release of information after the authorization period has expired
6. Errors in paper file storage and disposal
5. Failure to release patient information in a timely manner
4. Computer hacking
3. The loss of backup disks or portable drives
2. Employees inappropriately accessing, using, or transmitting PHI
1. Storing unencrypted patient information on laptops
How many of these does an organization have direct control over?

Why Complete a Security Risk Assessment?
Consider three reasons to complete an SRA:
- Patient Safety
- Public Perception
- Compliance
All good reasons, but which is the top priority for your practice?

Patient Safety
First, do no harm.
- Medical records of as many as 67.7 million people have been breached since 2009
- Average of 11.5 million identities stolen every year
- Average cost: $4,930 per household

Public Perception
Patients want access to their information and they want it to be safe.
- 81% of patients have concerns about privacy and security of EHR
- 60% of patients believe that EHR use will result in more information being lost or stolen
- Patients, like any consumer, vote with their feet

Risk is on the Rise
- HIPAA breaches increased 138% from 2012 to 2013
- Healthcare is now the leading US industry for data breaches
- This is despite increased awareness of the HIPAA Security Rule due to Meaningful Use programs
Factors resulting in increased risk:
- Increased EHR adoption
- Legislation (Meaningful Use, ACA)
- Changing landscape (ACO, HIE)

Risk Defined
Risk is the potential (likelihood) of a negative outcome (impact) toward an asset, due to a vulnerability being exploited by a threat that would reduce the value of the asset to the organization. (NIST SP 800-30)

Vulnerabilities and Controls
- For valuable assets, we need access to utilize the value
- Systems are designed to permit access, but all have vulnerabilities
- Controls reduce or eliminate unauthorized access

Threats and Threat Sources
Question: Do the majority of healthcare data breaches stem from an internal or external source?
Often there is overlap of internal and external sources.

What is at risk?
- Confidentiality
- Integrity
- Availability

Security Rule Requirements
Security Component: Physical Safeguards
  Example variables: facility structure; data storage center; computer hardware
  Example security measures: building alarm system; locked doors; monitors shielded from view
Security Component: Administrative Safeguards
  Example variables: designated security officer; staff training and oversight; information security control; SRA review
  Example security measures: staff training; monthly review of user activity; policy enforcement; new hire background checks
Security Component: Technical Safeguards
  Example variables: controls on access to EHR; audit log monitoring; secure electronic exchanges
  Example security measures: secure passwords; data backup; virus scans; encryption
Security Component: Policies and Procedures
  Example variables: written P&P addressing HIPAA Security requirements; documentation of security measures
  Example security measures: written protocols on safeguards; record retention; periodic policy and procedure review
Security Component: Organizational Requirements
  Example variables: breach notification and other policies; Business Associate agreements
  Example security measures: periodic Business Associate Agreement review and updates

Good Faith Effort
- Compliance isn't enough
- You can be compliant and still suffer a breach
- Risk can never be eliminated
- Reduce risk to a reasonable and appropriate level
- The expectation is for organizations to put forth a good faith effort

HIPAA Audit Program
- OCR has been enforcing HIPAA since 2003
- OCR random audit program set to begin in 2014
- Provider compliance with Security, Privacy, and Breach Rules will be audited
Most common Security deficiencies from 2012-2013 pilot audits:
- Lack of or incomplete SRA
- Unaware of Security Rule requirements

HIPAA Audit Program: Recent Updates
- Delayed indefinitely (for now)
- More on-site audits
- Fewer remote audits
- On-site audits to verify that policies and procedures are in place and followed!

SRA Process
Step 1: Identify and Classify Assets
Step 2: Identify and Classify Threats and Vulnerabilities
Step 3: Assess Current Controls
Step 4: Determine Likelihood of Threat Occurrence
Step 5: Analyze Impact to Organization
Step 6: Determine Level of Risk
Step 7: Implement Security Controls
Step 8: Ongoing Risk Management Program and Recurring SRA Review
All Steps: Documentation!
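The eight steps above, worked as a small risk register in Python. This is an added example, not M-CEITA's toolkit or the NIST tool; it uses the qualitative likelihood x impact scoring of NIST SP 800-30 with a three-level scale (low/moderate/high), and the assets, threats and controls in REGISTER are constructed sample entries for a small practice, not real data.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Qualitative scale for likelihood and impact, as in NIST SP 800-30 (assumed 3-level).
LEVELS = {"low": 1, "moderate": 2, "high": 3}

def risk_level(likelihood: str, impact: str) -> str:
    """Step 6: combine likelihood and impact into a risk level."""
    score = LEVELS[likelihood] * LEVELS[impact]          # 1..9
    return "high" if score >= 6 else "moderate" if score >= 3 else "low"

@dataclass
class RiskItem:
    asset: str                      # Step 1: asset that holds or reaches ePHI
    cia: str                        # which of confidentiality/integrity/availability is at stake
    threat: str                     # Step 2: threat ...
    vulnerability: str              # ... and the vulnerability it would exploit
    controls_in_place: List[str]    # Step 3: controls already present
    likelihood: str                 # Step 4: likelihood given current controls
    impact: str                     # Step 5: impact to the organization
    planned_controls: List[str] = field(default_factory=list)   # Step 7
    residual_likelihood: Optional[str] = None   # expected once planned controls are in
    residual_impact: Optional[str] = None

    def current_risk(self) -> str:
        return risk_level(self.likelihood, self.impact)

    def residual_risk(self) -> str:
        return risk_level(self.residual_likelihood or self.likelihood,
                          self.residual_impact or self.impact)

def prioritized(register: List[RiskItem]) -> List[RiskItem]:
    """Highest current risk first, so the action plan addresses it first."""
    return sorted(register, key=lambda r: LEVELS[r.current_risk()], reverse=True)

def unaddressed(register: List[RiskItem]) -> List[str]:
    """Step 8: moderate/high risks with no planned control are open findings to document."""
    return [r.asset for r in register
            if r.current_risk() != "low" and not r.planned_controls]

# Constructed sample register (not real data).
REGISTER = [
    RiskItem("Clinician laptop", "confidentiality", "Loss or theft of device",
             "ePHI stored unencrypted on local disk", ["Login password"],
             "high", "high", ["Full-disk encryption", "Remote wipe"],
             residual_impact="low"),
    RiskItem("Backup drives", "availability", "Portable drive misplaced",
             "Unencrypted drives carried off-site", [], "moderate", "high"),
    RiskItem("EHR server", "integrity", "Malware infection",
             "Unpatched workstation can reach server", ["Virus scans", "Data backup"],
             "low", "high", ["Monthly patching"], residual_likelihood="low"),
]
```

Re-running the register after each reporting period, with the dated entries kept, is the documentation trail an auditor asks for.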

SRA Service and Tools
M-CEITA Security Risk Assessment Toolkit:
- Follows NIST guidance (SP 800-30 & SP 800-66)
- Work on-site with practice leaders
- Guide through every step of the SRA process
- Deliver analysis and recommended plan of action to improve compliance

Risk Assessment Tool: Sample Page

Sample Policy: Breach Notification and Reporting
Customizable to your practice!

Attesting to Meaningful Use
Risk assessment:
- Best performed during the 90-day reporting period
- CMS has allowed exceptions to this due to the CEHRT flexibility rule changes (2014 only)
- Must assess certified EHR technology
- Repeat for each reporting period
- Attest after you have conducted your Security Risk Assessment
- You do not have to correct deficiencies identified in the SRA before you attest to Meaningful Use

How frequently do I need to do an SRA?
- Recommended at least annually
- After significant changes to practice, technology, or environment (example: Internet Explorer and Windows XP)
- Every year of Meaningful Use attestation

Conclusion
- Security Risk Assessments are required for compliance with HIPAA and Meaningful Use
- Risk and regulatory oversight are increasing
- Practices are expected to take compliance seriously and put forth a good faith effort
- Required: hard work, diligence, integrity
- An SRA is the first step of a continuous, comprehensive Risk Management Program that will benefit your patients and your practice

Resources
- NIST SP 800-30
- NIST SP 800-39
- NIST SP 800-66
- ONC Guide to Privacy and Security of Health Information
- OCR Wall of Shame
- HHS Final Guidance on Risk Analysis
- HIPAA Administrative Simplification

Questions?
M-CEITA Contact Info: www.mceita.org, 888-MICH-EHR, mceita@altarum.org